Overview
About vulnerability
In the Linux kernel, the following vulnerability has been resolved:
netlink: Fix wraparounds of sk->sk_rmem_alloc.
Netlink has this pattern in some places

    if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf)
        atomic_add(skb->truesize, &sk->sk_rmem_alloc);

, which has the same problem fixed by commit 5a465a0da13e (“udp: Fix multiple wraparounds of sk->sk_rmem_alloc.”).
For example, if we set INT_MAX to SO_RCVBUFFORCE, the condition is always false as the two operands are of int.
Then, a single socket can eat as many skb as possible until OOM happens, and we can see multiple wraparounds of sk->sk_rmem_alloc.
Let’s fix it by using atomic_add_return() and comparing the two variables as unsigned int.
Before:

    [root@fedora ~]# ss -f netlink
    Recv-Q      Send-Q Local Address:Port                Peer Address:Port
    -1668710080 0               rtnl:nl_wraparound/293               *

After:

    [root@fedora ~]# ss -f netlink
    Recv-Q     Send-Q Local Address:Port                Peer Address:Port
    2147483072 0               rtnl:nl_wraparound/290               *
    ^
    `--- INT_MAX - 576
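The wraparound described in the commit message, modelled in user space as an added example; it is not kernel code and not part of the original advisory or commit. The struct, the function names and the 1 MiB buffer size are constructed for illustration, and undoing the add on rejection is an assumption of the model.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed user-space model of sk_rmem_alloc / sk_rcvbuf; not kernel code. */
struct model_sock {
    uint32_t rmem_alloc; /* bit pattern of the kernel's int counter */
    int rcvbuf;          /* limit, e.g. INT_MAX via SO_RCVBUFFORCE */
};

/* Pre-fix pattern: signed check of the current value, then add. */
static int queue_before(struct model_sock *sk, uint32_t truesize)
{
    if ((int32_t)sk->rmem_alloc > sk->rcvbuf)
        return 0;                 /* never true when rcvbuf == INT_MAX */
    sk->rmem_alloc += truesize;   /* wraps past INT_MAX */
    return 1;
}

/* Post-fix pattern: add first (as atomic_add_return()), compare as unsigned. */
static int queue_after(struct model_sock *sk, uint32_t truesize)
{
    uint32_t rmem = (sk->rmem_alloc += truesize);
    if (rmem > (uint32_t)sk->rcvbuf) {
        sk->rmem_alloc -= truesize; /* undo: assumption of this model */
        return 0;
    }
    return 1;
}

/* Offer `attempts` buffers of `truesize` bytes; return how many were queued. */
static int flood(struct model_sock *sk, int attempts, uint32_t truesize,
                 int (*queue)(struct model_sock *, uint32_t))
{
    int queued = 0;
    for (int i = 0; i < attempts; i++)
        queued += queue(sk, truesize);
    return queued;
}

int main(void)
{
    struct model_sock a = { 0, INT_MAX }, b = { 0, INT_MAX };
    int qa = flood(&a, 3000, 1u << 20, queue_before); /* constructed sizes */
    int qb = flood(&b, 3000, 1u << 20, queue_after);
    printf("before: queued=%d Recv-Q=%d\n", qa, (int)(int32_t)a.rmem_alloc);
    printf("after:  queued=%d Recv-Q=%u\n", qb, (unsigned)b.rmem_alloc);
    return 0;
}
```

With the pre-fix check every buffer is accepted and the counter reads negative, as in the "Before" output; with the unsigned comparison the model stops accepting once the counter would exceed INT_MAX.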
Details
- Affected product:
  - AlmaLinux 9.2 ESU, CentOS 6 ELS, CentOS 7 ELS, CentOS 8.4 ELS, CentOS 8.5 ELS, CentOS Stream 8 ELS, CloudLinux 7 ELS, Oracle Linux 6 ELS, Oracle Linux 7 ELS, RHEL 7 ELS, TuxCare 9.6 ESU, Ubuntu 16.04 ELS, Ubuntu 18.04 ELS, Ubuntu 20.04 ELS
- Affected packages:
  - linux-hwe @ 4.15.0 (+15 more)